Skip links

Update 1 to SAP Security Note 1715734, SAP security note 2664504

Description

An authenticated user can use functions of dbpool, to which access should be restricted. This may result in an escalation of privileges.

This SAP Note supplements the corrections provided in SAP Security Note 1715734.

UPDATE 14th May 2019 : Solution provided by note 1715734 is partial. For complete solution implement this note. If you have not implemented 1715734, then implement only this note

Available fix and Supported packages

  • SAP-JEE | 6.40 | 6.40
  • SAP-JEECOR | 7.00 | 7.00
  • SAP-JEECOR | 6.40 | 6.40
  • SAP-JEECOR | 7.01 | 7.02
  • SERVERCORE | 7.10 | 7.10
  • SERVERCORE | 7.11 | 7.11
  • SERVERCORE | 7.20 | 7.20
  • SERVERCORE | 7.30 | 7.30
  • SERVERCORE | 7.31 | 7.31
  • SERVERCORE | 7.40 | 7.40
  • SERVERCORE | 7.50 | 7.50
  • J2EE ENGINE SERVERCORE 7.10 | SP012 | 000038
  • J2EE ENGINE SERVERCORE 7.10 | SP013 | 000032
  • J2EE ENGINE SERVERCORE 7.10 | SP014 | 000047
  • J2EE ENGINE SERVERCORE 7.10 | SP015 | 000031
  • J2EE ENGINE SERVERCORE 7.10 | SP016 | 000020
  • J2EE ENGINE SERVERCORE 7.10 | SP020 | 000022
  • J2EE ENGINE SERVERCORE 7.10 | SP021 | 000010
  • J2EE ENGINE SERVERCORE 7.10 | SP022 | 000005
  • J2EE ENGINE SERVERCORE 7.10 | SP023 | 000001
  • J2EE ENGINE SERVERCORE 7.10 | SP024 | 000000
  • J2EE ENGINE SERVERCORE 7.11 | SP007 | 000040
  • J2EE ENGINE SERVERCORE 7.11 | SP008 | 000047
  • J2EE ENGINE SERVERCORE 7.11 | SP009 | 000052
  • J2EE ENGINE SERVERCORE 7.11 | SP010 | 000039
  • J2EE ENGINE SERVERCORE 7.11 | SP011 | 000030
  • J2EE ENGINE SERVERCORE 7.11 | SP015 | 000022
  • J2EE ENGINE SERVERCORE 7.11 | SP016 | 000010
  • J2EE ENGINE SERVERCORE 7.11 | SP017 | 000007
  • J2EE ENGINE SERVERCORE 7.11 | SP018 | 000002
  • J2EE ENGINE SERVERCORE 7.11 | SP019 | 000000

Affected component

    BC-JAS-TRH
    Transactions and Resource Handling

CVSS

Score: 4.7
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Exploit

Exploit is not available.
For detailed information please contact the mail [email protected]

URL

https://launchpad.support.sap.com/#/notes/2664504

TAGS

#Authorization
#authorization-check
#dbpool
#update
#update-note